US Defense Contractor Exposes ‘Top Secret’ Info on Open Server

A cybersecurity firm has reported the discovery of 60,000 files from a US intelligence agency left on an unsecured public server with absolutely zero protection, not even a password.

The files were related to a military project being undertaken by the National Geospatial-Intelligence Agency (NGA), which uploaded the files to an Amazon cloud storage server that anyone could access.

Chris Vickery, a risk analyst with cyber resilience firm UpGuard, did just that. Among the files were sensitive information and even the security credentials of a senior employee with defense contractor Booz Allen Hamilton (BAH). The files also included the login credentials needed to access code repositories that might contain classified information. Vickery said that the information appeared to have been accidentally leaked by a BAH employee.

"Information that would ordinarily require a Top Secret-level security clearance from the DOD was accessible to anyone looking in the right place," UpGuard's Dan O'Sullivan wrote in a blog post about the leak. "No hacking was required to gain credentials needed for potentially accessing materials of a high classification level."

The files have since been secured, but anyone who found them before Vickery could have downloaded the files and used them to access NGA, Booz Allen Hamilton or Pentagon data.

The NGA has gone into damage control mode, issuing a statement in which it claimed to have begun an investigation into the leak. "We immediately revoked the affected credentials when we first learned of the potential vulnerability," the Wednesday statement read.

"NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action."

The NGA is the intelligence and combat-support agency that collects intelligence through geospatial imaging, social media georeferencing, and data analysis, earning it the nickname of the "Pentagon's mapmakers."

Their reputation suffered a catastrophic blow in 2013 when BAH employee and NSA contractor Edward Snowden leaked highly classified material. Another BAH employee, Harold Martin III, was arrested and charged with espionage when he was found to be in possession of over 50 terabytes of classified data in 2016.

This is the second time in recent months that sensitive US information was left online for anyone to see. In March, a cache of Air Force files that included the social security numbers of officers and classified information from internal investigations was found unsecured online.